On July 23, 2024, we monitored an attack transaction on the Ethereum blockchain: https://etherscan.io/tx/0x491cf8b2a5753fdbf3096b42e0a16bc109b957dc112d6537b1ed306e483d0744.
The targeted project was Spectra Protocol. The Spectra protocol is permissionless, meaning its services are entirely open for public use. Anyone can create new markets at will, swap yield derivatives, or become a liquidity provider.
In this attack, the attacker profited a total of 188,013 asdCRV, equivalent to 73,325 USD.
Detailed Analysis of the Attack
First, the attacker checked the allowance of the asdCRV token granted by the address 0x279a7dbfae376427ffac52fcb0883147d42165ff to the Spectra Protocol contract, as well as the asdCRV balance of that address.
Next, the attacker invoked the execute function to launch the attack on Spectra Protocol. The execute function's code is as follows:
Finally, the input data leads to the call of _dispatch, whose code is shown below:
From the above code, we can see that _dispatch determines the action based on _commandType. In this attack, _commandType was 0x12, so command = 0x12 & 0x3f = 0x12, corresponding to KYBER_SWAP.
Thus, the code segment the attacker reached is as follows. We can see that both kyberRouter and targetData are taken from attacker-supplied input, allowing the attacker to use the Spectra Protocol contract to call any contract with arbitrary parameters.
The attacker's inputs data is parsed as follows:
00000000000000000000000043e54c2e7b3e294de3a155785f52ab49d87b9922: address(kyberRouter)
000000000000000000000000eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee: address(tokenIn)
0000000000000000000000000000000000000000000000000000000000000000: uint256(amountIn)
000000000000000000000000ba8ce86147ded54c0879c9a954f9754a472704aa: address(tokenOut)
0000000000000000000000000000000000000000000000000000000000000001: uint256
00000000000000000000000000000000000000000000000000000000000000c0: bytes index = (32 * 6)
0000000000000000000000000000000000000000000000000000000000000064: bytes length = 100
23b872dd000000000000000000000000279a7dbfae376427ffac52fcb0883147d42165ff000000000000000000000000ba8ce86147ded54c0879c9a954f9754a472704aa0000000000000000000000000000000000000000000027d03995eb8cff1bfcc300000000000000000000000000000000000000000000000000000000
We found that kyberRouter had been set to the address 0x43e54c2e7b3e294de3a155785f52ab49d87b9922, tokenIn to the address 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee, and tokenOut to the address 0xba8ce86147ded54c0879c9a954f9754a472704aa.
We can see that Constants.ETH corresponds to 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE, which matches the supplied tokenIn, so the code follows this path:
The targetData is parsed as follows:
23b872dd: function signature (transferFrom)
000000000000000000000000279a7dbfae376427ffac52fcb0883147d42165ff: address(from)
000000000000000000000000ba8ce86147ded54c0879c9a954f9754a472704aa: address(to)
0000000000000000000000000000000000000000000027d03995eb8cff1bfcc3: uint256(value)
Since the transferFrom function has the signature 0x23b872dd, the parameters for transferFrom are from = 0x279a7dbfae376427ffac52fcb0883147d42165ff, to = 0xba8ce86147ded54c0879c9a954f9754a472704aa, and value = 188,013,365,080,870,249,823,427.
Given that kyberRouter was set to 0x43e54c2e7b3e294de3a155785f52ab49d87b9922, which is the asdCRV token contract, the attacker essentially made the Spectra Protocol contract call transferFrom on asdCRV, transferring 188,013,365,080,870,249,823,427 base units of asdCRV (about 188,013 asdCRV, as stated above) from 0x279a7dbfae376427ffac52fcb0883147d42165ff to 0xba8ce86147ded54c0879c9a954f9754a472704aa (an address controlled by the attacker). Because that address had already approved the Spectra Protocol contract to spend its asdCRV, the transfer succeeded and the attack was complete.
Summary
The vulnerability occurred because the targeted contract did not strictly validate the parameters passed by the attacker, allowing the attacker to craft specific inputData that caused the victim's contract to call any contract with arbitrary parameters. Ultimately, the attacker used these crafted parameters to have the victim's contract call transferFrom, transferring tokens that users had approved to the victim's contract to an address controlled by the attacker. It is recommended that project teams implement multiple layers of validation in their code logic and, during pre-launch audits, engage multiple auditing firms for cross-verification.